[Samba] Group policy management per OU

Juan Asensio Sánchez okelet at gmail.com
Tue Sep 17 03:06:49 MDT 2013

Hi all

We are testing to migrate our multiple domain Samba3-LDAP system to Samba4.
As Samba 4 doesn't support multiple domains, we will convert every domain
into an OU, delegating the administration of each OU to a specific group of
users. Our environment has about 38 OUs and thousand of users and
computers, so we want each OU admin group can manage also the group
policies. I have read a lot, but I have not seen anything about the
creation and modification of group policies per OU, just giving permissions
to and existing GPO. What I would like is to allow admin groups of each OU
create and modify their own GPOs, without needing to request the "central"
administrators to create one and give permissions to it. In brief, what I
have read:

- If a OU admin user wants to create a GPO, he must have rights to manage
all GPOs, or a admin user have to create previously a GPO and give
permissions to that GPO to the user, and then the OU admin user can link it
and edit it.

What I would like to:

- Each OU admin user can create GPOs and modify (and link) the GPOs he has
created, but not modify (or delete or link) the GPOs that other OUs admin
users have created.

Is this possible or just a dream? :D


More information about the samba mailing list